Role Based Access Control

For Premium-tier organizations, Database Performance Monitor allows restricting user access to data based on roles assigned to teams. This approach is generally referred to as role-based access control (RBAC).

Before reading more about RBAC, if you aren’t familiar with how environments and teams work, please make sure you check out the Environments & Teams documentation.

Roles

A Role is a set of actions (or “privileges”) that is granted to a user in a certain context. For example, a role of Read-Only in the “Production” environment grants read access to a user for all non-sensitive data in the environment.

Roles are assigned exclusively to teams. For a role to apply to a user, that user must be a member of a team to which the role has been assigned.

Roles are assigned at two levels:

  • at the organization level, where a role is assigned to a team as its default
  • at the environment level, where a role is assigned to a specific environment-team pair and applies only to that environment.

By assigning a role to a team at the organization level (click “Settings” and then “Teams” under the “Organization Settings” section), you control the default privileges of that team. These privileges cover actions such as adding users to your organization, inviting people to a team, managing teams, or creating new environments (see the “Privileges” section below for a detailed list).

By assigning a role to an environment-team pair, you can override the default role of a team and grant specific privileges on a per-environment basis. To do so, select the environment you want to affect in the upper left corner of the UI, then click “Settings” and then “Teams” under the “Environment Settings” section. For example, if a team of “Developers” has access to both the “Production” and “Staging” environments, you may grant full access to the “Staging” environment but only read access to the “Production” environment.

Privileges

There are currently four roles available:

  • Owner
  • Read-Write
  • Read-Only (with samples)
  • Read-Only

The Owner role grants full access to an organization. This role is special, and cannot be assigned to teams other than Owners.

The Read-Write role allows users to do things such as update host credentials, add new hosts, and view query samples. It does not allow users to modify user access to an environment.

The Read-Only (with samples) role hides sensitive information, such as credentials and API tokens, but raw query samples remain available.

The Read-Only role only grants the privilege of looking at reports in DPM. No sensitive information, such as host credentials, query samples, or API tokens, can be accessed.

Users may belong to one or many teams. If a user belongs to more than one team, their privileges are cumulative.

The following is a detailed description of the privileges corresponding to each role. The Read-Write role has all of the permissions of the Read-Only role, and the Owner role has all of the permissions of the Read-Write role.

The Read-Only role

  • env:read - Read actions in the environment, such as requesting metrics
  • acct:licenses:read - Read the number of used/total licenses

The Read-Only (with samples) role

  • env:read - Read actions in the environment, such as requesting metrics
  • acct:licenses:read - Read the number of used/total licenses
  • env:samples:read - Read raw query sample data

The Read-Write role

  • env:write - Update actions in the environment, such as starting or stopping agents
  • env:samples:read - Read raw query sample data
  • env:settings:read - Read the environment settings
  • env:settings:write - Update the environment settings, such as host credentials
  • acct:licenses:write - Update the number of licenses for the account

The Owner role

  • env:team:add - Add teams to the environment
  • org:config:update - Update organization configuration settings
  • org:env:create - Create new environments in the account
  • org:user:invite - Invite users to the organization
  • org:team:read - Read information about the teams in your account
  • org:team:update - Update the teams
  • org:user:read - Read information about the users of your organization
  • org:user:update - Update the users of your organization
  • acct:cancel - Close the account
  • acct:billing:write - Update the billing configuration of the account
  • acct:auth:update - Update the authentication configuration of the account
  • acct:owner:update - Update the owner of the account
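
The rules above (organization-level default, environment-level override, cumulative privileges across teams) can be combined into an access audit. The following is an added example, not DPM code or a DPM API: the privilege names come from the list above, while the function names, team names, user names, and the fallback to the default role when no override exists are assumptions. It is meant for checking env:* privileges in a given environment.

```python
# Added example: resolve a user's effective privileges in one environment.
# Privilege names are from the role list above; all other names are hypothetical.
READ_ONLY = {"env:read", "acct:licenses:read"}
READ_ONLY_SAMPLES = READ_ONLY | {"env:samples:read"}
READ_WRITE = READ_ONLY | {
    "env:write", "env:samples:read", "env:settings:read",
    "env:settings:write", "acct:licenses:write",
}
OWNER = READ_WRITE | {
    "env:team:add", "org:config:update", "org:env:create", "org:user:invite",
    "org:team:read", "org:team:update", "org:user:read", "org:user:update",
    "acct:cancel", "acct:billing:write", "acct:auth:update", "acct:owner:update",
}
ROLE_PRIVILEGES = {
    "Read-Only": READ_ONLY,
    "Read-Only (with samples)": READ_ONLY_SAMPLES,
    "Read-Write": READ_WRITE,
    "Owner": OWNER,
}


def effective_privileges(user_teams, org_roles, env_roles, env):
    """Union of privileges over all of the user's teams in `env`.

    An (env, team) entry in env_roles overrides the team's organization-level
    default role; without one, the default applies (assumed fallback).
    """
    privileges = set()
    for team in user_teams:
        role = env_roles.get((env, team), org_roles[team])
        privileges |= ROLE_PRIVILEGES[role]
    return privileges


def users_with(privilege, memberships, org_roles, env_roles, env):
    """Audit helper: users who hold `privilege` in `env`, sorted by name."""
    return sorted(
        user for user, teams in memberships.items()
        if privilege in effective_privileges(teams, org_roles, env_roles, env)
    )


# Constructed sample data: team and user names are made up.
ORG_ROLES = {"Developers": "Read-Write", "Support": "Read-Only (with samples)"}
ENV_ROLES = {("Production", "Developers"): "Read-Only"}  # per-environment override
MEMBERSHIPS = {"alice": ["Developers"], "bob": ["Support"],
               "carol": ["Developers", "Support"]}
```

With this sample data, carol can read raw query samples in “Production” even though “Developers” is limited to Read-Only there, because her “Support” membership adds env:samples:read.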